Thursday, October 6, 2011

SELinux for enhanced headaches


Security Enhanced Linux (SELinux) is a new extra hidden layer of permissions that makes configuring things more difficult, without ever identifying itself as the culprit - kind of like ACLs but more cryptic. Though it may be more secure, it is not an enhancing experience to deal with, and probably not worth it for the average user.

For example to have Apache serve personal websites (i.e. http://server/~leipzig) it is no longer enough to alter httpd.conf, because you will get mysterious 403 errors until you do this (as others have experienced):
chcon -R -t httpd_sys_content_t /home/leipzig

You forget about this change until xauth starts complaining about stuff for no apparent reason:
/usr/bin/xauth:  timeout in locking authority file /home/leipzig/.Xauthority

so of course you need to do this (thanks Madhav Diwan for this post):
chcon unconfined_u:object_r:user_home_dir_t:s0 /home/leipzig

I have no idea what these things actually mean, nor any real interest in learning. I'm sure this stuff is great for sysadmin cocktail chat but at least for private servers it is just another the brake on the wheel of getting things done. For the time being I have set the level to "permissive", which means it displays warnings but does not interfere, but am leaning toward "disabled" or maybe something else:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=excoriated
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

More on the pros and cons:
http://unix.stackexchange.com/questions/9163/does-selinux-provide-enough-extra-security-to-be-worth-the-hassle-of-learning-set

No comments:

Post a Comment